Other Services

Can exposing vulnerabilities in your IT environment actually makes you less attractive to attackers?

Cyber threats are like monsters under the bed. You can’t say for sure whether they’re really there or what they even look like, yet they still give you an uncomfortable feeling that they’ll creep out when you least expect it. If you close your eyes and ignore them, they might just go away.

But when it comes to cybersecurity, ignoring threats is the worst thing you can do. Hackers of all kinds reap the benefits of organisations that underestimate the risks they face, typically thinking either that they’re not an attractive target or that the hackers lack the ingenuity to breach their bog-standard defences. There’s no shortage of high profile data hacks to highlight the consequences of this approach.

When we talk to security managers, they sometimes seem pensive about probing their organisational defences. It’s better, they think, to let sleeping dogs lie and avoid poking holes where there’s been no previous cause for concern.

An anti-fragile network

This got us thinking about the concept of anti-fragility – the idea that the more a system resists attacks, the greater its robustness – and how it applies to cybersecurity. This is the same logic behind penetration testing; by actively seeking out security holes, you can find them and patch them before they become an issue. We asked ourselves this question: does exposing your network to attack make it more resilient in the event of future hacking attempts?

We decided to put this to the test with an experiment designed to show the time taken to breach a network pre- and post-vulnerability assessment. Using data from one-off penetration tests against specific targeted systems and continuous vulnerability scans against thousands of IPs, both inside networks and on the Internet, we wanted to see what the findings could tell us about our customers’ basic security hygiene.

Make the days count

To understand this, we examined 502 security assessments spanning a period of 12 months. We found that when conducting penetration testing on web environments, we could identify a ‘serious’ issue once every 3.3 days on average. When that same environment was then retested after the initial issue had been identified and patched, the time taken to find a further vulnerability increased to 21 days.

Putting this in dollar terms, the cost to an attacker , therefore,becomes nearly seven times more expensive where penetration testing has been conducted on a network. In other words, if you’re able to find vulnerabilities before your attackers do, it’ll take them far longer to uncover another one, increasing the cost for them and balancing the scales in your favour.

Putting hackers out of business

This shows the value of penetration testing and just why it helps make cyber attacks economically unviable for hackers. You need to remember that your potential attackers think like businesses too; they are professional hackers for whom the return of breaching a company’s security must be greater than the work that went into it.

You should, therefore, think about your security in this way – when the returns don’t add up, they’re less likely to put the time in to breach your systems. It pays, it seems, to be anti-fragile.